Previously, I had the pleasure of reviewing Spychips, a book which looked at the potentially malevolent (well, apocalyptic, reallly) implications of RFID (Radio Frequency ID) technology. Talk about taking all the fun out a subject.
Bill Glover and Himanshu Bhatt have written a perfectly well-ordered discussion of an RFID system. No doubt those banal servants of evil, the middle-managers, will find it useful.
One particularly intriguing section describes how, as a technology gains wider adoption, the scale of possible application moves from the company level to the industry level, to the overall economy. This may be a standard model by now, but it was new to me.
Spychips mavens will find little comfort here. The book essentially validates all the technical concerns raised in the book, although it does throw the timeline out further than Spychips does. Still, it takes security concerns seriously, and encourages managers to do so as well. From a business point of view, groups like CASPIAN are dealt with in classic crisis management fashion – bring them in, make them a part of the process, try to avoid making enemies unnecessarily.
The privacy chapter is much the same as the rest of the book, breaking down the issues into consumer privacy and system security, and trying to balance them with system availability. Both privacy and security are presented as a set of vulnerabilities and countermeasures, along with those countermeasures’ potential effects on system usefulness. (We are awaiting, without much hope, an announcement of O’Reilly’s forthcoming RFID Hacks.)
I did notice that a number of technical fixes were presented, without irony, as though they were universally accepted and agreed-upon. For instance, industry standard packaging is supposed to clearly reflect the presence of RFID chips. The fact is, some of these chips are well-disguised, whether by design or by a desire to keep a low profile. This is where it’s important to remember the intended audience.
That audience consists of technical managers trying to decide how to implement systems in accordance with the rules. For them, security and privacy are trade-offs, not absolutes. They’re also concerned about vulnerabilities, primarily to the extent that they can defeat the business uses of the system, with consumer protection a secondary, albeit important, concern. This isn’t evil; it’s just an agency cost of a new technology, although the industry didn’t help themselves with their initial undue secrecy. If TCP/IP had been subjected to the same scrutiny, you wouldn’t be reading these words right now.
The book is geared to the project manager with some technical background. While it doesn’t shy away from discussions of algorithms and protocols, it also doesn’t provide details about implementation. It’s the kind of book an informed manager wants, in order to be able to ask intelligent questions of his staff.